10.2.3 PCI DSS


Felipe Andres Concha Sepúlveda

Jan 22, 2019, 6:15:53 AM
to Wazuh mailing list
Hello everyone, I have a question.
How can I comply with the PCI DSS 10.2.3 "Access to all audit trails" control?
The documentation is not clear to me.

Manuel Jiménez

Jan 22, 2019, 7:52:03 AM
to Felipe Andres Concha Sepúlveda, Wazuh mailing list

Hello Felipe,

For compliance with this requirement, you need to verify any access to audit logs, as they are often altered by individuals with fraudulent intentions. Keeping a check on audit log access will allow you to discover whether any change, addition or deletion has been made by a particular user name.
Wazuh already provides PCI-DSS compliance, so to approach this one you could use syscheck to monitor the audit logs and generate the security events associated with that control.

  1. Edit your /var/ossec/etc/ossec.conf file. Find the following section:

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

  and stop ignoring the .log files by editing it like this:

    <!-- File types to ignore -->
    <ignore type="sregex">.swp$</ignore>

  2. Then append the following configuration to your syscheck block:

    <directories check_all="yes" whodata="yes" report_changes="yes" restrict="audit.log">/var/log/audit/</directories>

I hope that helps, please let me know if you have any question.

Regards,
Manuel



Felipe Andres Concha Sepúlveda

Jan 22, 2019, 11:58:28 AM
to Manuel Jiménez, Wazuh mailing list
Hello, thanks Manuel. I have done some tests, first by following the documentation on the web and then another test by following the steps you gave me, and I have some questions:

1. Following the documentation on the web:

a. Install audit on the Wazuh manager, if it is not installed:

# yum install audit

b. Add the directory or file to monitor on the agent. In our case, since the organization is distributed in groups, add the configuration to the agent.conf file of the agent group.

c. When creating a file and then modifying it, alerts are generated.
2. When doing the steps that you gave me:

I cannot find this field, so I did nothing with it:

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

I applied the change you told me, but I have some questions:

What does this restrict="audit.log" do?

What specifically does this audit? When making a manual change, for example in /var/log/secure or in /var/log/messages, I would expect an alert to be triggered indicating who made a change in these files, but when testing I do not see those alerts. Can you clarify this?

<directories check_all="yes" whodata="yes" report_changes="yes" restrict="audit.log">/var/log/audit/</directories>



Manuel Jiménez

Jan 25, 2019, 4:07:47 AM
to Felipe Andres Concha Sepúlveda, Wazuh mailing list

Hello Felipe,

Sorry for the late reply. Regarding your questions:

What does this restrict="audit.log" do?

According to the documentation about the restrict option:

Limit checks to files containing the entered string in the file name.
Any directory or file name (but not a path) is allowed.

That means that in the /var/log/ directory, the audit.log file will be monitored. That is what the 10.2.3 PCI-DSS rule is about. Maybe you are not currently receiving any alert because of the ignore statement in the ossec.conf file:

<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>

Notice that, by default, syscheck ignores any log file, so you have to avoid that by editing it to this:

<!-- File types to ignore -->
<ignore type="sregex">.swp$</ignore>

Put that statement into the syscheck block of your group's agent.conf and it will be pushed to the agents.

Let me know if you still have any question.

Best regards,
Manuel

Pedro Sánchez

Jan 25, 2019, 4:26:11 PM
to Manuel Jiménez, Felipe Andres Concha Sepúlveda, Wazuh mailing list
Hi Felipe, Manu,

It is not recommended to monitor log files using the FIM engine, neither with scheduled scans nor in real time.
According to the configuration in the previous emails, the agent will send one event every time audit.log changes, which can potentially be hundreds of times per second, overloading the manager and the network.
A log file is supposed to change, a lot, so it is not a good candidate for monitoring with FIM.

Regarding PCI DSS control 10.2.3, the Logcollector component is able to detect automatically whether a log file has been truncated (size decreased), cleared or rotated:


<!-- File rotation / reduced rules -->
<rule id="591" level="3">
  <if_sid>500</if_sid>
  <match>^ossec: File rotated </match>
  <description>Log file rotated.</description>
  <group>pci_dss_10.5.2,pci_dss_10.5.5,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_35.7.d,</group>
</rule>
<rule id="592" level="8">
  <if_sid>500</if_sid>
  <match>^ossec: File size reduced</match>
  <description>Log file size reduced.</description>
  <group>attacks,pci_dss_10.5.2,pci_dss_11.4,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>
<rule id="593" level="9">
  <if_sid>500</if_sid>
  <match>^ossec: Event log cleared</match>
  <description>Microsoft Event log cleared.</description>
  <group>logs_cleared,pci_dss_10.5.2,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_35.7.d,</group>
</rule>

This will help you detect any log file modification.
The next thing to do, in my opinion, is to configure FIM to monitor log files which have already been rotated and/or compressed.

I hope it helps, best regards,
Pedro de Castro.
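
The detection Pedro describes above, reduced to a runnable model. This is an added example and not Wazuh's logcollector code: it polls a file's inode and size, raises messages worded to match what rules 591 and 592 above look for (the exact wording is an assumption modelled on those rule patterns), and classifies them with a copy of that rule table. demo() builds its own temporary audit.log, so it runs offline with no manager involved.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Copied from the ruleset excerpt above: (rule id, level, regex, description).
RULES = [
    (591, 3, r"^ossec: File rotated ", "Log file rotated."),
    (592, 8, r"^ossec: File size reduced", "Log file size reduced."),
    (593, 9, r"^ossec: Event log cleared", "Microsoft Event log cleared."),
]


@dataclass
class LogWatcher:
    """Remembers (inode, size) per path and reports rotation or truncation.

    A log file is expected to grow. Without FIM, two things can still be
    flagged cheaply: the inode changed (rotation, or remove-and-recreate) and
    the size went down on the same inode (truncation, e.g. '> /var/log/secure').
    """
    state: dict = field(default_factory=dict)

    def poll(self, path):
        """One polling round for `path`. Returns the list of events raised."""
        events = []
        try:
            st = os.stat(path)
        except FileNotFoundError:
            if path in self.state:
                # Assumed wording, chosen to match rule 591's pattern.
                events.append(f"ossec: File rotated (inode changed): '{path}'.")
                del self.state[path]
            return events

        prev = self.state.get(path)
        self.state[path] = (st.st_ino, st.st_size)
        if prev is None:
            return events  # first sighting: nothing to compare against
        prev_ino, prev_size = prev
        if st.st_ino != prev_ino:
            events.append(f"ossec: File rotated (inode changed): '{path}'.")
        elif st.st_size < prev_size:
            # Assumed wording, chosen to match rule 592's pattern.
            events.append(f"ossec: File size reduced (inode remained): '{path}'.")
        return events


def classify(event):
    """Run the rule table over one event; returns (id, level, description) or None."""
    for rule_id, level, pattern, description in RULES:
        if re.match(pattern, event):
            return rule_id, level, description
    return None


def demo():
    """Constructed scenario: append to, truncate, then rotate a temp audit.log.

    Returns the classification of every event raised, in order.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "audit.log")
    watcher = LogWatcher()
    raised = []

    with open(path, "w") as f:                   # constructed sample lines
        f.write("type=USER_LOGIN msg=audit(1):\n")
    raised += watcher.poll(path)                 # first sighting, no event

    with open(path, "a") as f:
        f.write("type=USER_LOGIN msg=audit(2):\n")
    raised += watcher.poll(path)                 # growth is normal, no event

    with open(path, "w") as f:                   # in-place truncation
        f.write("x\n")
    raised += watcher.poll(path)                 # -> File size reduced

    os.rename(path, path + ".1")                 # logrotate-style move
    with open(path, "w") as f:
        f.write("fresh\n")
    raised += watcher.poll(path)                 # -> File rotated (new inode)

    return [classify(e) for e in raised]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Note what this does not give you: the truncation is noticed, but not who did it. That is exactly the gap Felipe raises below, and it is why the thread ends up separating "was the trail tampered with" (collector events plus these rules) from "by whom" (auditd/whodata on the file, with the alert volume Pedro warns about).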

Felipe Andres Concha Sepúlveda

Jan 28, 2019, 11:57:25 AM
to Pedro Sánchez, Manuel Jiménez, Wazuh mailing list
Hi Pedro, thanks for the information. Yes, you're right: activating FIM for records that change constantly is not good. I did some tests and it generated too many alerts that were not necessary.

We are working with the QSA auditor to certify an environment for PCI, and within that environment we have some Windows and Linux machines, so the auditor demands the following:

10.2.3 Access to all audit trails
For this requirement, an alert must be generated every time a person makes a modification in the Windows and Linux logs.
Example: /var/log/secure   /var/log/messages   /var/log/lastlog.    etc...

With the information you gave me, I comply with some of the things the auditor asks for, but not the identification of who made changes to the log files.

Is there some way to do this?


Likewise, could you help me with how to comply with each of these controls with Wazuh?
Especially regarding the log files :)
  • 10.2.1 All individual user accesses to cardholder data
  • 10.2.2 All actions taken by any individual with root or administrative privileges
  • 10.2.3 Access to all audit trails
  • 10.2.4 Invalid logical access attempts
  • 10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
  • 10.2.6 Initialization, stopping, or pausing of the audit logs
  • 10.2.7 Creation and deletion of system-level objects




Regards,
Felipe



Pedro Sánchez

May 22, 2019, 3:48:57 PM
to Felipe Andres Concha Sepúlveda, Manuel Jiménez, Wazuh mailing list
Hi Felipe,

Sorry for the really late response, I had this email in my inbox for centuries.
Is there still anything I can do to help?

Regarding the PCI controls you ask about, I think this document we have can help: https://wazuh.com/resources/Wazuh_PCI_DSS_Guide.pdf

Regarding "who" did the modification on the log files, I have my doubts. You can use FIM to track those changes, but the thing is, I never recommend setting up FIM to monitor a log file; it is recommended to monitor files which are not supposed to change (binaries, for example, or configuration files). If you monitor a log file, it will generate an alert every time the file changes, and that could produce a lot of alerts.
Maybe you can use scheduled command execution to check the permissions/group of the file and send a report back to the manager.

I hope it helps, best regards,
Pedro.
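
One way to do the scheduled check Pedro suggests, as an added example that is not Wazuh's or the project's own code. It compares the owner, group and mode of a list of audit trails against an expected baseline and prints one JSON line per file, which is the shape a command-type localfile can forward to the manager. The baseline values and the localfile snippet in the closing comment are assumptions for illustration, not a recommended policy; demo() creates its own temporary files so it runs offline and never touches /var/log.

```python
import grp
import json
import os
import pwd
import stat
import tempfile

# Assumed baseline for this example: (owner, group, widest permitted mode).
# Real values depend on the distribution and on what the QSA expects.
BASELINE = {
    "/var/log/audit/audit.log": ("root", "root", 0o600),
    "/var/log/secure":          ("root", "root", 0o600),
    "/var/log/messages":        ("root", "root", 0o644),
    "/var/log/lastlog":         ("root", "root", 0o644),
}


def _name(ident, lookup, attr):
    """Resolve a uid/gid to a name; fall back to the number if unknown."""
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return str(ident)


def check_file(path, expected):
    """Compare one file against (owner, group, max_mode); return a report dict."""
    owner, group, max_mode = expected
    report = {"path": path, "status": "ok", "deviations": []}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        report["status"] = "missing"   # a vanished trail is itself reportable
        return report
    mode = stat.S_IMODE(st.st_mode)
    actual_owner = _name(st.st_uid, pwd.getpwuid, "pw_name")
    actual_group = _name(st.st_gid, grp.getgrgid, "gr_name")
    if actual_owner != owner:
        report["deviations"].append(f"owner {actual_owner} != {owner}")
    if actual_group != group:
        report["deviations"].append(f"group {actual_group} != {group}")
    # Any bit set beyond the baseline counts, e.g. world-writable or setgid.
    if mode & ~max_mode:
        report["deviations"].append(f"mode {mode:04o} exceeds {max_mode:04o}")
    report["mode"] = f"{mode:04o}"
    if report["deviations"]:
        report["status"] = "deviation"
    return report


def audit(baseline):
    """Check every baseline entry; return the reports with problems first."""
    reports = [check_file(p, exp) for p, exp in baseline.items()]
    return sorted(reports, key=lambda r: r["status"] == "ok")


def demo():
    """Constructed scenario using temp files in place of the real /var/log paths.

    Returns {basename: status} for a correct file, an over-permissive one and
    a missing one.
    """
    workdir = tempfile.mkdtemp()
    me = _name(os.getuid(), pwd.getpwuid, "pw_name")
    mygrp = _name(os.getgid(), grp.getgrgid, "gr_name")
    good = os.path.join(workdir, "secure")
    loose = os.path.join(workdir, "messages")
    for p, mode in ((good, 0o600), (loose, 0o666)):
        with open(p, "w") as f:
            f.write("constructed log line\n")
        os.chmod(p, mode)
    baseline = {
        good: (me, mygrp, 0o600),
        loose: (me, mygrp, 0o644),                              # 0666 is too wide
        os.path.join(workdir, "lastlog"): (me, mygrp, 0o644),   # never created
    }
    return {os.path.basename(r["path"]): r["status"] for r in audit(baseline)}


if __name__ == "__main__":
    # Assumed wiring: run on a schedule by the agent and forwarded line by line
    # (adjust the script path to wherever you deploy it):
    #   <localfile>
    #     <log_format>full_command</log_format>
    #     <command>python3 /var/ossec/bin/check_logperms.py</command>
    #     <frequency>3600</frequency>
    #   </localfile>
    for report in audit(BASELINE):
        print(json.dumps(report, sort_keys=True))
```

This answers "is the trail still protected", not "who wrote to it": a mode or owner change shows that someone with the rights to do so touched the file, and the JSON line gives the manager something a rule can match and a QSA can be shown, but attribution still needs an auditd watch on the file.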


